Prerequisites
- Your parent workspace must already be onboarded
- You need Organizational Admin or Workspace Admin role in ContraForce
- Your customer must provide Global Administrator credentials for consent
- Pop-up blocker disabled for portal.contraforce.com

Step-by-Step
Create the customer workspace
From the Workspace Manager (left sidebar), click + Add Workspace. Enter the customer’s organization name. You can also use Pre-Onboarding to create the workspace before the customer is ready to consent.
Launch the onboarding wizard
Open the new workspace, then go to Settings → Workspace Settings → Module Configuration. Click Start Onboarding and select the module (XDR or XDR + SIEM).
Consent to enterprise applications
The customer’s Global Administrator must complete the consent flow. Two applications are required for every workspace:
- ContraForce API
- ContraForce Portal
You can share a consent link with the customer if they prefer to complete this step themselves.
Configure Azure resources (XDR + SIEM only)
If deploying the Sentinel module, the customer needs Subscription Owner access to deploy Azure resources. Select their subscription and resource group, then click Deploy.
Authorize Gamebook actions
Complete the Gamebook authorization step to enable response actions against the customer’s tenant.
Assign users and groups
Add your SOC analysts to the customer workspace with appropriate roles. If you want the customer to have visibility, add their users with Incident Analyst (read-only) or Incident Responder roles.
Configure notifications
Go to Settings → Notifications to set up email alerts for incidents in this workspace. Customize by severity level.
Full notification customization requires the XDR + SIEM module.
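
After the consent step above, the customer's administrator can review what was actually granted in their tenant. The script below is an added example, not ContraForce tooling: it uses the Microsoft Graph PowerShell module and assumes the two enterprise applications appear in the tenant under the display names given on this page.

```powershell
# Added example: audit what the consent step granted in the customer tenant.
# Requires the Microsoft.Graph PowerShell module; run as a user who can read
# applications and permission grants in that tenant.
Connect-MgGraph -Scopes 'Application.Read.All','Directory.Read.All'

# Assumption: the enterprise applications are listed under these display names.
$appNames = 'ContraForce API', 'ContraForce Portal'
$resourceCache = @{}   # resource service principal id -> object (avoids repeat lookups)

foreach ($name in $appNames) {
    $sps = @(Get-MgServicePrincipal -Filter "displayName eq '$name'" -All)
    if ($sps.Count -eq 0) {
        Write-Warning "$name : no service principal found (consent not completed?)"
        continue
    }
    if ($sps.Count -gt 1) {
        # Display names are not unique; more than one match deserves a manual look.
        Write-Warning "$name : $($sps.Count) service principals share this display name"
    }
    foreach ($sp in $sps) {
        "== $name  (appId $($sp.AppId), objectId $($sp.Id))"

        # Delegated permissions (OAuth2 permission grants) held by this app.
        Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All |
            ForEach-Object {
                "   delegated    consentType=$($_.ConsentType)  scopes=$($_.Scope)"
            }

        # Application permissions (app role assignments) granted to this app.
        Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All |
            ForEach-Object {
                $assignment = $_
                if (-not $resourceCache.ContainsKey($assignment.ResourceId)) {
                    $resource = Get-MgServicePrincipal -ServicePrincipalId $assignment.ResourceId
                    $resourceCache[$assignment.ResourceId] = $resource
                }
                # Resolve the role GUID to its readable permission name.
                $role = $resourceCache[$assignment.ResourceId].AppRoles |
                    Where-Object { $_.Id -eq $assignment.AppRoleId }
                "   application  resource=$($assignment.ResourceDisplayName)  role=$($role.Value)"
            }
    }
}
```

Saving the output at onboarding time gives a baseline to compare against in later access reviews.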